  1. #1
    Linux Guru kkubasik's Avatar
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396

    Unusually active firewall?


    I was recently having issues with some programs and decided to put my Linux box in a DMZ, and as a result, bypassed all the normal firewalling functions of my router/NAT. I installed iptables and a graphical frontend for it, 'firestarter'. My outgoing rules are permissive with only blacklisted traffic blocked, and my incoming rules drop all except for the ports specified (22, 25, 80, 110 for the moment). The primary reason I installed the graphical frontend was for its system tray notification feature. As a result I have noticed UDP connections (generally on or around ports 1024-1026, but all over) from a multitude of IPs several times a minute. I host a site on the machine, but it's just a personal blog and rarely sees more than 25 unique IPs a day. I can provide the actual logs should someone want to see them, but I was wondering: is this much traffic normal? My guess is that some forwarding feature on my router is sending information to different ports than they originate at, but something like that seems to be ineffective.

    Any experiences that might help?

    (The router is a D-Link, should that make a difference.)
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  2. #2
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Yes, it's normal. There are millions of worm-infected zombie boxes on the Internet that probe computers for presence and vulnerabilities all the time. I used to get a couple of hundred break-in attempts per day on HTTP only. I don't even monitor attempted TCP connections, but I'd say it's a safe bet that they are many.

  3. #3
    Just Joined!
    Join Date
    Jul 2005
    Location
    Albuquerque, NM
    Posts
    9
    I noticed many attempts, one about every thirty seconds, or maybe less. Most are directed to ports 1026-UDP and 1027-UDP. Occasionally they attempt ports 1434-TCP/HTTPS, 22-TCP, 1433-TCP/Ms-sql-s. Also get unknown ports-ICMP. Most are from the same IPs, must have bots running all the time. I get many from my own ISP, but most come from China.
    I have no idea what these are, but I do know they do not get through.

    Dave
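
One way to answer the first post's "is this much traffic normal?" from the firewall log itself, as an added example that is not part of the thread: it groups dropped inbound packets by protocol and destination port, counts distinct sources, and flags drops on the ports the first post lists as open. The log lines are constructed, and the netfilter LOG key=value layout is an assumption (firestarter's own log output is not shown on the page).

```python
import re
from collections import defaultdict

ALLOWED_TCP = {22, 25, 80, 110}  # inbound ports the first post says are open

# Constructed sample lines in the kernel's netfilter LOG key=value format.
SAMPLE_LOG = """\
Jul 12 10:01:02 box kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=485 TTL=110 PROTO=UDP SPT=33012 DPT=1026 LEN=465
Jul 12 10:01:09 box kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=485 TTL=109 PROTO=UDP SPT=40110 DPT=1026 LEN=465
Jul 12 10:01:31 box kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=485 TTL=110 PROTO=UDP SPT=33013 DPT=1027 LEN=465
Jul 12 10:02:04 box kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 TTL=112 PROTO=TCP SPT=4512 DPT=1433 SYN
Jul 12 10:02:40 box kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 TTL=112 PROTO=TCP SPT=4513 DPT=22 SYN
Jul 12 10:03:15 box kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
Jul 12 10:03:20 box kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.200 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=6667 SYN
Jul 12 10:03:22 box sshd[811]: Server listening on 0.0.0.0 port 22.
"""
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return (src, proto, dport) for an inbound firewall log line, else None."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN= appears twice on UDP; keep the first
    if not fields.get("IN") or "SRC" not in fields or "PROTO" not in fields:
        return None  # outbound packet (empty IN=) or not a firewall line
    dpt = fields.get("DPT", "")
    return fields["SRC"], fields["PROTO"], int(dpt) if dpt.isdigit() else None

def summarize(log_text):
    """Map (proto, dport) -> (hit count, distinct source count); ICMP has dport None."""
    hits, sources = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, proto, dport = rec
        hits[(proto, dport)] += 1
        sources[(proto, dport)].add(src)
    return {key: (hits[key], len(sources[key])) for key in hits}

def drops_on_allowed_ports(summary):
    """Logged drops on ports meant to be open are worth checking against the rules."""
    return sorted(p for (proto, p) in summary if proto == "TCP" and p in ALLOWED_TCP)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (proto, port), (n, srcs) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
        print(f"{proto:<4} {port if port is not None else '-':<6} hits={n} sources={srcs}")
    print("drops on allowed ports:", drops_on_allowed_ports(summary))
```

Many sources each hitting the same closed port a few times is the background probing the replies describe; a drop on a port you meant to leave open is the line to investigate.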
